This patch-set implements the OA2_INHERIT_CRED flag for openat2() syscall. It is needed to perform an open operation with the creds that were in effect when the dir_fd was opened. This allows the process to pre-open some dirs and switch eUID (and other UIDs/GIDs) to the less-privileged user, while still retaining the possibility to open/create files within the pre-opened directory set. The sand-boxing is security-oriented: symlinks leading outside of a sand-box are rejected. /proc magic links are rejected. The more detailed description (including security considerations) is available in the log messages of individual patches. Changes in v4: - add optimizations suggested by David Laight <David.Laight@xxxxxxxxxx> - move security checks to build_open_flags() - force RESOLVE_NO_MAGICLINKS as suggested by Andy Lutomirski <luto@xxxxxxxxxx> Changes in v3: - partially revert v2 changes to avoid overriding capabilities. Only the bare minimum is overridden: fsuid, fsgid and group_info. Document the fact the full cred override is unwanted, as it may represent an unneeded security risk. Changes in v2: - capture full struct cred instead of just fsuid/fsgid. Suggested by Stefan Metzmacher <metze@xxxxxxxxx> CC: Stefan Metzmacher <metze@xxxxxxxxx> CC: Eric Biederman <ebiederm@xxxxxxxxxxxx> CC: Alexander Viro <viro@xxxxxxxxxxxxxxxxxx> CC: Andy Lutomirski <luto@xxxxxxxxxx> CC: Christian Brauner <brauner@xxxxxxxxxx> CC: Jan Kara <jack@xxxxxxx> CC: Jeff Layton <jlayton@xxxxxxxxxx> CC: Chuck Lever <chuck.lever@xxxxxxxxxx> CC: Alexander Aring <alex.aring@xxxxxxxxx> CC: David Laight <David.Laight@xxxxxxxxxx> CC: linux-fsdevel@xxxxxxxxxxxxxxx CC: linux-kernel@xxxxxxxxxxxxxxx CC: linux-api@xxxxxxxxxxxxxxx CC: Paolo Bonzini <pbonzini@xxxxxxxxxx> CC: Christian Göttsche <cgzones@xxxxxxxxxxxxxx> -- 2.44.0